Message content protection and conditional disclosure

ABSTRACT

Methods and systems are provided for controlling the disclosure of sensitive information. Disclosure is controlled in the sense that (a) the information is not disclosed until predefined conditions are met, such as the passage of a certain time without an authorized update request for secrecy, (b) copies of the information are protected by encryption and by widespread, unpredictable storage, so that at least one copy will be available when disclosure is required, (c) the information is kept secret until disclosure is required, and (d) when disclosure is required, the information is sent to predefined destinations such as email addresses or posted to web sites, in a predefined format.

RELATED APPLICATIONS

[0001] The present application claims the benefit of commonly owned copending U.S. patent application Ser. No. 60/078,175 filed Mar. 16, 1998, which is incorporated herein by this reference.

FIELD OF THE INVENTION

[0002] The present invention relates to the use of computer networks to both protect message contents by keeping them secret until a specified condition occurs and to disclose the message contents in a specified manner if the condition occurs. More particularly, the invention relates to information escrow using computer networks, encryption, replication, network traversal, and other tools and techniques.

TECHNICAL BACKGROUND OF THE INVENTION

[0003] It is sometimes very important to keep certain information secret unless a particular person dies or becomes otherwise incapacitated, in which case the information should be disclosed in a specified way. More generally, it would often be useful to keep information secret until certain conditions occur, and to then disclose the information in a particular way.

[0004] Many situations illustrate the need for carefully controlled disclosure of sensitive information. For example, consider wills and other statements made in contemplation of one's death. The contents of a will are often kept secret from most of the people identified in the will until the person who made the will dies. Then, and only then, is the will disclosed to the people and the institutions who are (or are not) beneficiaries under the will.

[0005] As another example, consider information discovered by a potential whistle-blower or other witness to some wrongful act or plot. If the wrongdoing is not promptly reported to the proper authorities, a wrongdoer may believe that all of the incriminating evidence can be destroyed, and may attempt to do so, regardless of the harm inflicted on witnesses and others, including innocent bystanders. Evidence is sometimes lost because a witness is reluctant to tell others because the evidence would implicate the witness in lesser but nonetheless serious violations, because the evidence raises questions but is not conclusive evidence of a crime, or because the witness does not wish to place anyone else at risk. Thus, it would be helpful to provide a reliable way for a witness to preserve a description of events (and possibly other information as well), without directly involving another person until disclosure of the information becomes necessary.

[0006] Less dramatic but nonetheless important situations calling for carefully controlled disclosure also arise in other contexts. For instance, a software company which licenses only object code versions of its proprietary software may agree to make the corresponding source code versions available to a licensee if the software company goes bankrupt or discontinues support, or if some other stated condition occurs. The source code should be disclosed, but it should be disclosed only to the licensee and only when the stated conditions occur.

[0007] As another example, consider the address databases that correlate domain names with IP addresses on the web, password databases, digital certificate databases, marketing databases that correlate email addresses with names and other demographic information, bank account databases, and the many other databases that support electronic commerce. An illicit copy of such a database could be put to many unauthorized purposes, so backup copies should be stored securely. On the other hand, authorized system personnel should have ready access to a copy if necessary to restore operation of the system.

[0008] Accordingly, mirroring servers, compressed archives, and other backup tools and techniques are used to create frequent backups and to disperse them geographically to reduce the risk of losing the data. Physical security methods ranging from locked doors to dismounted magnetic tapes to watchdogs are also used, to make sure the backup is available only to authorized system administrators.

[0009] More generally, current approaches to controlled disclosure of sensitive information often involve asking someone to act as a guardian of the information. The guardian role may be filled by a coworker, friend, relative, spouse, attorney, journalist, escrow agent, or other person. The guardian is asked to receive the information, to hold it in strict secrecy until some stated condition occurs (typically death, bankruptcy, data loss, or other incapacitation), and to then disclose the information to one or more persons who have previously been identified or described by the person who places the information in the guardian's care.

[0010] Unfortunately, present guardianship approaches are vulnerable to natural disasters, wars, terrorist attacks, or even more mundane problems such as record-keeping errors or satellite failures. Such events may destroy all copies of the information. They may also make the copies difficult or impossible to locate, or result in premature or misdirected disclosure of the information.

[0011] Guardianship may also fail in other ways. Even if a guardian has the best of intentions, the guardian's copy of the information may be lost or destroyed despite the guardian's efforts. If the information is sufficiently valuable and is perceived to be vulnerable, then the guardian may be the target of extreme efforts, either to prevent disclosure of the information or to obtain unauthorized access to the information. Moreover, approaches which rely on professional escrow agents or attorneys as guardians tend to be relatively expensive, inconvenient, or both.

[0012] Modern computer technology provides many tools for managing information, so it is reasonable to ask whether some form of automation might help guardians. However, the diversity of techniques and devices available makes it difficult to determine which tools and techniques are relevant to the problem at hand. To give but a few examples of the available technologies: user interfaces make it easier to control software and hardware; hardware advances make it possible to create ever more complex and adaptable systems; networks (both wired and wireless) connect computers at different locations with different levels of security; platform-independent libraries and languages help make functionally compatible software available throughout a network; visualization tools help present information to viewers in meaningful ways; databases organize information in a way that promotes analysis of the information and provides access to the information; web crawlers create indexes which help locate information; artificial intelligence techniques help process information; identification, authentication, and encryption methods help keep information secret from unauthorized viewers and/or detect tampering; fault-tolerant systems, replication methods, and archival techniques each provide some assurance that another copy of critical data will be available if a given server or link goes down; programming languages and other development tools encourage experimentation and rapid development of prototype computer systems; and tools and economic incentives promote the commercialization and adoption of new computer software and hardware products. The difficulty lies in determining which techniques are useful for controlling disclosure, and how to adapt or combine them for such use.

[0013] In short, it would be an advancement to provide an approach which draws on relevant computer technology tools and techniques and combines or develops them in new ways to improve control over the disclosure of sensitive information.

[0014] Such an approach is disclosed and claimed herein.

BRIEF SUMMARY OF THE INVENTION

[0015] The present invention relates to methods, articles, signals, and systems for controlling the disclosure of sensitive information. Because the invention could be used in so many different situations, information is considered “sensitive” if an information provider chooses to use the invention to control its disclosure. The invention hides copies of sensitive information in networks to prevent destruction of every copy, and discloses the information in a specified way if specified conditions occur. Metaphorically, the invention provides a “hidden choir” which will sing when desired and otherwise remain silently ready in the background.

[0016] In some embodiments, the invention is implemented with computer software which runs on standard computer hardware. In other embodiments, the invention takes advantage of special-purpose hardware such as biometric scanners. But in each case, the invention helps control the disclosure of sensitive information provided by users, and it does so in a way that goes beyond merely denying access to unauthorized users.

[0017] Disclosure is controlled in the sense that (a) the information is not disclosed until specified conditions are met, (b) copies of the information are protected so that at least one copy is likely to be available when disclosure is required, (c) the information is kept secret until disclosure is required, and (d) when disclosure is required, the information is disclosed by being sent to specified destinations. Authorized deletion of the information copies may also be controlled.

[0018] While awaiting a disclosure trigger and/or a deletion trigger (either or both of which may never occur in some cases), the information is protected against inadvertent or premature disclosure. Protection is provided by encryption, by dividing the information between messages stored at different locations, and/or by omitting clues that would reveal the full import of the stored information.

[0019] For instance, the invention may be used to control disclosure such that (a) sensitive information is not disclosed until the incapacitation or death of the information's source is noted in two separate public sources, (b) thousands of copies of the information are spread in an apparently unpredictable and unrecorded manner throughout a global computer network so that even if many copies are lost or destroyed, at least one copy will probably still be available when disclosure is required, (c) each copy is encrypted so the information remains secret until disclosure is required, and (d) when disclosure is required, at least one copy of the information is sent within a predetermined time period to each predefined destination, such as an email address or a web site, either in a plain text format or encrypted with a public key corresponding to the destination.

[0020] In particular, suppose Pat Elder wants to control disclosure of a last will and testament. Using software according to one embodiment of the invention, Pat can create dozens or hundreds of encrypted copies of the will in hidden locations around the world, so that many copies would survive an earthquake or flood that destroys Pat's hometown (including Pat's home, Pat's bank, and Pat's attorney's office). After consulting an attorney, Pat decides that copies of the will should be emailed to each of Pat's children, to Pat's attorney, and to the local courthouse if Pat does not respond within one week to a regular monthly inquiry from the invention. A response will not be accepted by the invention as authentic unless it includes information that (a) identifies Pat as its source, and (b) ensures that a copy of an earlier response from Pat is not being submitted by someone else in an attempt to trick the system. As part of the controlled disclosure, each copy of the last will and testament will be signed using Pat's public key; the copy emailed to the courthouse will be in plain text (decrypted), and each of the other copies will be encrypted using the recipient's public key.

[0021] The invention may also be used to escrow source code, legal documents, and other confidential or proprietary information. Accordingly, disclosure may be conditioned on bankruptcy filings, stock prices, news wire stories, and a wide range of other publicly available information. Sources being monitored to determine whether a disclosure condition exists may be widely available, such as public media, or they may be specific web sites or news groups.

[0022] Conditions and constraints may also be placed on deletion of the escrowed information. For instance, in some embodiments users who provide sensitive information to the system cannot retract it later, even if they establish themselves as the information providers. In some embodiments, sensitive information is automatically deleted if it has not been disclosed after a certain period of time; in some it is deleted if some other deletion condition occurs. Combinations of disclosure and deletion conditions are also possible. Other features and advantages of the present invention will become more fully apparent through the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023] To illustrate the manner in which the advantages and features of the invention are obtained, a more particular description of the invention will be given with reference to the attached drawings. These drawings only illustrate selected aspects of the invention and thus do not limit the invention's scope. In the drawings:

[0024] FIG. 1 is a diagram illustrating one of many networks suitable for use according to the present invention.

[0025] FIG. 2 is an introductory flowchart illustrating methods of the present invention.

[0026] FIG. 3 is a flowchart illustrating a message accepting step of the invention.

[0027] FIG. 4 is a diagram illustrating a message format according to the invention.

[0028] FIG. 5 is a diagram illustrating another message format of the invention.

[0029] FIG. 6 is a flowchart illustrating methods of the invention for controlling information disclosure using roving messages.

[0030] FIG. 7 is a flowchart illustrating methods of the invention for controlling information disclosure using roving messages and message updates.

[0031] FIG. 8 is a flowchart illustrating methods of the invention for controlling information disclosure using poised messages.

[0032] FIG. 9 is a flowchart illustrating methods of the invention for controlling information disclosure using poised messages and message updates.

[0033] FIG. 10 is a diagram illustrating a message update format according to the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0034] In describing methods, devices, signals, and systems according to the invention, the meaning of several important terms is clarified; the claims must be read with careful attention to these clarifications. Specific examples are given to illustrate aspects of the invention, but those of skill in the relevant art(s) will understand that other examples may also fall within the meaning of the terms used, and hence within the scope of one or more claims. Important terms are defined, either explicitly or implicitly, both here in the specification and elsewhere in the application file.

[0035] Computer Network

[0036] FIG. 1 illustrates a network 100 which is one of the many computer networks suitable for use according to the invention. Suitable networks include one or more local area networks, wide area networks, metropolitan area networks, and/or “Internet” or IP networks such as the World Wide Web, a private Internet, a secure Internet, a value-added network, a virtual private network, an extranet, an intranet, or even standalone machines which communicate with other machines by physical transport of media (a so-called “sneakernet”). In particular, a suitable network may be formed from parts or entireties of two or more other networks, including networks using disparate hardware and network communication technologies.

[0037] In many cases, a geographically dispersed network, up to and including a global computer network such as the Internet which includes nodes on different continents, is preferred because additional storage locations and physical separation of storage locations and variations in their surroundings (electronic and managerial) enhance the survival prospects for a given piece of information that is spread through the network according to the invention. “Geographically dispersed” means the network includes two nodes which are at least ten miles apart. However, more localized networks like the network 100 may also be used.

[0038] The network 100 includes a server 102 and several clients 104; other suitable networks may contain other combinations of servers, clients, and/or peer-to-peer nodes, and a given computer may function both as a client and as a server. Each network includes at least two computers such as the server 102 and/or clients 104. A computer may be a workstation, laptop computer, disconnectable mobile computer, server, mainframe, cluster, so-called “network computer” or “thin client”, personal digital assistant or other hand-held computing device, “smart” consumer electronics device or appliance, or a combination thereof.

[0039] Each computer includes at least a processor and a memory; computers may also include input devices and/or output devices. The processor may include a general purpose device such as an 80x86, Pentium (mark of Intel), 680x0, or other “off-the-shelf” microprocessor. The processor may include a special purpose processing device such as an ASIC, PAL, PLA, PLD, or other customized or programmable device. The memory may include static RAM, dynamic RAM, flash memory, ROM, CD-ROM, disk, tape, magnetic, optical, or other computer storage medium. The input device may include a keyboard, mouse, touch screen, light pen, tablet, microphone, sensor, or other hardware with accompanying firmware and/or software. The output device may include a monitor or other display, printer, speech or text synthesizer, switch, signal line, or other hardware with accompanying firmware and/or software.

[0040] The network may include communications or networking software such as the software available from Novell, Microsoft, Artisoft, and other vendors, and may operate using TCP/IP, SPX, IPX, and other protocols over twisted pair, coaxial, or optical fiber cables, telephone lines, satellites, microwave relays, modulated AC power lines, physical media transfer, and/or other data transmission “wires” 108 known to those of skill in the art. The network may encompass smaller networks and/or be connectable to other networks through a gateway or similar mechanism.

[0041] As suggested by FIG. 1, at least one of the computers is capable of using a floppy drive, tape drive, optical drive, magneto-optical drive, or other means to read a storage medium 106. A suitable storage medium 106 includes a magnetic, optical, or other computer-readable storage device having a specific physical configuration. Suitable storage devices include floppy disks, hard disks, tape, CD-ROMs, PROMs, random access memory, flash memory, and other computer system storage devices. The physical configuration represents data and instructions which cause the computer system to operate in a specific and predefined manner as described herein. Thus, the medium 106 tangibly embodies a program, functions, and/or instructions that are executable by computer(s) to help control the disclosure of sensitive information substantially as described herein. Likewise, the “wires” 108 and other data carriers may embody signals for controlling the disclosure of sensitive information substantially as described herein.

[0042] Suitable software to assist in implementing the invention is readily provided by those of skill in the pertinent art(s) using the teachings presented here and programming languages and tools such as Java, Pascal, C++, C, database languages, APIs, SDKs, assembly, firmware, microcode, and/or other languages and tools. Suitable signal formats may be embodied in analog or digital form, with or without error detection and/or correction bits, packet headers, port IDs, socket IDs, network addresses in a specific format, and/or other supporting data readily provided by those of skill in the pertinent art(s).

[0043] Methods Generally

[0044] FIG. 2 illustrates generally several methods of the present invention; other methods are illustrated elsewhere. Because the invention provides several steps which can be combined in various ways, FIG. 2 and the other Figures are illustrative only.

[0045] As shown, the methods include steps 200 and 202 for entering sensitive information into a computer network such as the network 100 and steps 204 and 206 for disclosing the information in a desired way if certain conditions are detected. Some methods also include “deadman switch” steps 208 and 210 for ensuring that the information is disclosed when an expected update from the information provider (or another authenticated user designated by the information provider) is not received on time.

[0046] More precisely, during a message accepting step 200, a piece of “hidden choir” software running on the network accepts from a user sensitive information which should be stored in one or more networks for possible later disclosure and/or deletion under specified conditions. The sensitive information may be in plain text form, or the user may have encrypted and/or compressed it. The sensitive information may include text, images, sounds, and/or any other information that can be stored and transmitted in digital form.

[0047] The user may be a “regular” user, or a user who logs in only to use the inventive software, or a system administrator, for instance. A user may be a person, or a user may be a software task, thread, agent, or other computer process acting legitimately on behalf of a person or on behalf of a group of people. A “person” may be an individual, a corporation, a limited liability company, a partnership, a university, a government agency, or another institutional entity.

[0048] In addition to providing the sensitive information, the user either provides or ratifies instructions for the possible disclosure and/or deletion of that information. Ratification occurs when the user acquiesces in disclosure and/or deletion instructions which are provided by the system as default parameters, hard-coded methods, or otherwise. Disclosure and deletion are merely “possible” because in particular cases the conditions that would trigger such actions might never occur.

[0049] In short, the message accepting step 200 gathers the sensitive information, the disclosure and/or deletion conditions, and provides them to a message storing step 202. The message accepting step 200 and message components are described further in connection with FIGS. 3 through 5.

[0050] During the message storing step 202, the invention hides copies of the sensitive information in the network 100 by creating copies of the message and transmitting them in various guises to various locations in the network 100. In some cases, an information provider may know the location of at least some of the copies, but in general the information provider does not know in detail how and where the message copies are stored; in embodiments which allow the information provider to delete stored copies, the system locates the copies. The number of copies made may vary, even by several orders of magnitude, with at least 10 or at least 100 or at least 1000 made in various cases. The number of copies made is not necessarily revealed to the information provider.

[0051] In some embodiments, a relatively small number of locations (compared to the number of network nodes) is used. In others, the step 202 puts copies of encrypted message content in most or all available locations in the network (or portion of net). In either case, a given node may contain more than one copy of a given message, with different copies stored under different names and in different disguises.

[0052] The ultimate number of message copies and the path taken by each copy is determined dynamically. The path taken by a given copy may cover a few network nodes or many network nodes, and it may be determined randomly and/or using information which authenticates the information provider. In some embodiments, one or more message copies keep traveling either until they are destroyed or until message disclosure or deletion is triggered. Message storing steps are described further in connection with FIG. 6 and elsewhere.
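The storing step described in [0018] and [0050] through [0052] combines two ideas: the stored items reveal nothing on their own, and enough replicas are scattered over unpredictable locations that losing many nodes still leaves every piece recoverable. The following Python is an added illustration written for this page, not code from the patent; it models "dividing the information between messages" with XOR secret splitting (any share short of the full set is uniformly random noise) and models the unrecorded placement with a seeded random scatter over named nodes. The node names, share count, copy count and loss fraction are constructed sample values, and a real deployment would additionally encrypt each stored item as the text says.

```python
import os
import random
from typing import Dict, List, Optional, Set, Tuple

# node name -> {disguised file name: (share index, share bytes)}
Storage = Dict[str, Dict[str, Tuple[int, bytes]]]


def split_xor(secret: bytes, n: int) -> List[bytes]:
    """Split into n shares: all n are needed, any n-1 are uniformly random noise."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for sh in shares:
        last = bytes(a ^ b for a, b in zip(last, sh))
    return shares + [last]


def join_xor(shares: List[bytes]) -> bytes:
    out = bytes(len(shares[0]))
    for sh in shares:
        out = bytes(a ^ b for a, b in zip(out, sh))
    return out


def disperse(shares: List[bytes], nodes: List[str], copies_per_share: int,
             rng: random.Random) -> Storage:
    """Scatter replicas of every share over randomly chosen nodes under random names.
    The returned map is what the network holds; the provider never sees it."""
    storage: Storage = {node: {} for node in nodes}
    for idx, share in enumerate(shares):
        for _ in range(copies_per_share):
            node = rng.choice(nodes)                  # a node may end up with several copies
            name = "%08x.dat" % rng.getrandbits(32)   # nothing in the name hints at the content
            storage[node][name] = (idx, share)
    return storage


def surviving_shares(storage: Storage, alive: Set[str]) -> Dict[int, bytes]:
    """One reachable replica per share index, scanning only nodes still alive."""
    found: Dict[int, bytes] = {}
    for node in alive:
        for idx, share in storage.get(node, {}).values():
            found.setdefault(idx, share)
    return found


def recover(storage: Storage, alive: Set[str], n_shares: int) -> Optional[bytes]:
    """Rebuild the message if at least one replica of every share is still reachable."""
    found = surviving_shares(storage, alive)
    if len(found) < n_shares:
        return None
    return join_xor([found[i] for i in range(n_shares)])


def simulate(secret: bytes, n_shares: int = 3, n_nodes: int = 50,
             copies_per_share: int = 8, lost_fraction: float = 0.5,
             seed: int = 7) -> Tuple[bool, int]:
    """Disperse, lose a fraction of the nodes, then try to rebuild.
    Returns (rebuilt correctly?, number of share indices still reachable)."""
    rng = random.Random(seed)                         # constructed, repeatable scatter
    nodes = ["node-%02d" % i for i in range(n_nodes)]
    storage = disperse(split_xor(secret, n_shares), nodes, copies_per_share, rng)
    dead = set(rng.sample(nodes, int(n_nodes * lost_fraction)))
    alive = set(nodes) - dead
    reachable = len(surviving_shares(storage, alive))
    return recover(storage, alive, n_shares) == secret, reachable


if __name__ == "__main__":
    ok, reachable = simulate(b"constructed sample message")
    print("rebuilt after losing half the nodes:", ok, "shares reachable:", reachable)
```

Raising `copies_per_share` or lowering `n_shares` trades storage for survival probability; the simulation makes that trade-off measurable before choosing the "at least 10 or at least 100 or at least 1000" copy counts mentioned in [0050].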

[0053] During a testing step 204, a portion of the invention checks stored messages to determine if they should be disclosed. This may be implemented in various ways. One or more searching message update agents may travel specified regions of the network in an exhaustive path looking for message copies and checking any message copies encountered; searching updates are not directed at a specific message copy. Update agents or update instructions directed at specific message copies may also be sent out along paths previously followed (at least ultimately) by those message copies, using methods similar to those employed in various embodiments of the storing step 202. The messages themselves may also include code which monitors conditions to determine if disclosure or deletion is appropriate, independently of any updates.

[0054] Regardless of the manner in which disclosure is triggered, if it is triggered then during a disclosing step 206 some or all of the message contents are sent to their destination(s) in formats which may be predefined by the user or provided as current defaults by the system. The disclosed contents may be limited to some or all of the sensitive information, or the disclosure may include additional components such as one or more of the message components discussed below in connection with FIGS. 4 and 5. The testing and disclosing steps are described in further detail in connection with FIGS. 3 through 5 and elsewhere.

[0055] During an optional update accepting step 208, the illustrated embodiment accepts and authenticates updates for messages. In some cases the update affirms that the information provider does not want the system to disclose any part of a given message yet, making the update analogous to the “deadman switch” used in a railroad or subway engine; as long as the engineer periodically pushes the deadman switch, the train keeps running. If the engineer has a heart attack and the switch is not pushed for some time, the train is automatically brought to a halt. Messages may similarly be configured to be disclosed if the information provider does not regularly submit an authentic update. In other cases, a message update triggers disclosure rather than preventing it. In some cases a message update triggers deletion of message copies. The update accepting step 208 and an update format are described in further detail in connection with FIG. 10 and elsewhere.
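The deadman switch of [0055] depends on the two acceptance tests spelled out in the Pat Elder scenario of [0020]: an update counts only if it proves who sent it and cannot be a replay of an earlier response. The Python below is an added illustration for this page, not the patent's own code; it assumes a secret shared between the provider and the system at escrow time (standing in for the password or key of the text), a provider-chosen sequence number that must increase with every update, and the monthly inquiry with one-week grace period from [0020]. All names and numbers are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class Update:
    provider: str   # who claims to be answering the inquiry
    seq: int        # provider-chosen counter, must grow with every update
    sent_at: int    # unix time at which the provider answered
    body: str       # free text, e.g. "still here"
    tag: str        # hex HMAC over the four fields above


def _tag(secret: bytes, provider: str, seq: int, sent_at: int, body: str) -> str:
    # Canonical JSON keeps the MAC input unambiguous (no field-boundary tricks).
    msg = json.dumps([provider, seq, sent_at, body], separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_update(secret: bytes, provider: str, seq: int, sent_at: int,
                body: str = "still here") -> Update:
    """What the provider's client produces in answer to a periodic inquiry."""
    return Update(provider, seq, sent_at, body, _tag(secret, provider, seq, sent_at, body))


@dataclass
class DeadmanState:
    provider: str
    secret: bytes              # shared with the provider at escrow time (assumption)
    last_ok_at: int            # time of escrow creation or of the last authentic update
    last_seq: int = -1
    period: int = 30 * DAY     # monthly inquiry
    grace: int = 7 * DAY       # one week to answer
    skew: int = 300            # tolerated clock skew for future-dated updates

    def accept(self, upd: Update, now: int) -> bool:
        """Return True, and reset the timer, only for an authentic and fresh update."""
        if upd.provider != self.provider:
            return False
        expected = _tag(self.secret, upd.provider, upd.seq, upd.sent_at, upd.body)
        if not hmac.compare_digest(expected, upd.tag):
            return False                      # (a) does not prove the source
        if upd.seq <= self.last_seq:
            return False                      # (b) an earlier response submitted again
        if upd.sent_at > now + self.skew or now - upd.sent_at > self.grace:
            return False                      # future-dated, or too old to count
        self.last_seq = upd.seq
        self.last_ok_at = now
        return True

    def should_disclose(self, now: int) -> bool:
        """Deadman rule: the inquiry went unanswered past the grace window."""
        return now - self.last_ok_at > self.period + self.grace


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    state = DeadmanState("pat", secret, last_ok_at=0)
    first = make_update(secret, "pat", seq=1, sent_at=30 * DAY)
    print("fresh update accepted:", state.accept(first, 30 * DAY + 60))
    print("same update again:", state.accept(first, 30 * DAY + 120))
    print("disclose at +38 days:", state.should_disclose(30 * DAY + 60 + 38 * DAY))
```

The sequence number is what defeats the replay in [0020](b): a captured response carries a counter the system has already seen, so it fails before the timer is touched. The timestamp bound is a second, independent freshness check, so an old but never-submitted response cannot be held back and used later.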

[0056] During an update storing step 210, the software and/or hardware creates and stores copies of the update. In some embodiments, the invention transmits updates to the same locations in the network as the stored message copies, or at least sends the updates along the paths taken by the message copies. In other cases, the updates search the network looking for message copies. As with the message storing step 202, precautions are taken to prevent shadowing or unauthorized use of transmitted items. The update storing step is described in further detail in connection with FIG. 10 and elsewhere.

[0057] Message Acceptance

[0058] During message acceptance, a user entrusts sensitive information to the inventive software and/or hardware for disclosure under specified conditions. The user is referred to here as the “information provider” with the understanding that in many embodiments the user also expressly provides other message content as well, such as disclosure and deletion conditions. FIG. 3 further illustrates various embodiments of the message accepting step 200. As with other method steps, details of corresponding system, signal, and device components will be understood by those of skill in the art in view of this discussion and other parts of the present specification. For instance, those of skill will readily apply descriptions of a given method step to the construction and use of corresponding systems and articles that perform the step and of corresponding signals that embody results used by and/or produced by the step.

[0059] During an optional provider authenticating step 300, the system obtains information identifying the information provider and attempts to authenticate the identification. The information provider may be identified and/or authenticated using familiar tools and techniques. For instance, the information provider may be identified by a login name and authenticated by a password. A “password” includes one or more individual pass words, pass phrases, biometric scan results (e.g. retinal scan, fingerprint, voiceprint), other identification method results, symmetric key or other cryptographic or digital signature keys, secret email or other identifying codes, GUID, and/or any other data or devices used to protect or control access to an account or another resource in the system 100.

[0060] The authenticating step 300 may be omitted in some circumstances. For instance, the software may be configured to make identification optional; this might be combined with a requirement that a message cannot be retracted unless identification is provided. Of course, some embodiments may be configured so that the message cannot be retracted regardless of whether identification is provided. In some embodiments the authenticating step 300 can be omitted if the information provider wishes to remain anonymous.

[0061] During a disclosure conditioning step 302, the system obtains the disclosure conditions that determine when (and whether) the sensitive information entrusted to the system will be disclosed. The logic of disclosure conditions may be relatively simple, such as “if no update has been received from X, Y, or Z in the past six months, then disclose the information” or “disclose the information only if I send an update containing the word ‘implode’” or “regardless of updates, disclose the information if any press release on site W is seen to contain the phrase ‘ABC will acquire XYZ’” or even “disclose the information as soon as possible after Jul. 11, 2060.”

[0062] The logic of disclosure conditions may also be more complex, such as “disclose the information if a monthly search indicates that company A receives a patent or owns a published patent application having key phrases X, Y, or Z in the abstract or claims, or if the search indicates that any company has received a patent or owns a published patent application in classes K or L which lists M as an inventor.” This latter example could be used to control disclosure of information which is meant to be kept as a trade secret unless circumstances suggest it might be more useful as prior art.

[0063] In either case, the underlying tools for determining whether a disclosure condition has occurred may be very simple or they may be quite sophisticated. By way of example only, powerful tools and techniques may be used (a) to analyze natural language in news accounts and other electronic postings for statements describing events such as the acquisition of a company or the death of an individual; (b) to make determinations of financial market health or political stability based on news reports, market prices, and other factors; and (c) to detect spurious updates. Suitable tools and techniques are familiar to those of skill in the arts, and no doubt additional improvements will be made in such tools and techniques, further enhancing the power and convenience of systems according to the invention.
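The four simple rules quoted in [0061] (silence from X, Y or Z for six months; an update containing "implode"; a phrase appearing on site W; a calendar date) and the Boolean combinations implied by [0062] can be expressed as small composable predicates over a snapshot of what the testing step currently knows. The Python below is an added example for this page and not the patent's code; the `Snapshot` structure, the six-month window of 182 days and the sample data in `sample_snapshot` are constructed assumptions, and the text matching is a plain substring test standing in for the natural-language tools of [0063].

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List

UTC = timezone.utc
NEVER = datetime.min.replace(tzinfo=UTC)   # "no update ever received"


def at(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=UTC)


@dataclass
class Snapshot:
    """What the testing step knows at one moment (constructed structure)."""
    now: datetime
    last_update: Dict[str, datetime] = field(default_factory=dict)  # sender -> last authentic update
    update_bodies: List[str] = field(default_factory=list)          # bodies of authentic updates seen
    sources: Dict[str, str] = field(default_factory=dict)           # monitored site -> fetched text


Condition = Callable[[Snapshot], bool]


def no_update_within(senders: Iterable[str], window: timedelta) -> Condition:
    """True when none of the senders has sent an authentic update inside the window."""
    senders = list(senders)

    def check(s: Snapshot) -> bool:
        cutoff = s.now - window
        return all(s.last_update.get(x, NEVER) < cutoff for x in senders)
    return check


def update_contains(word: str) -> Condition:
    return lambda s: any(word in body for body in s.update_bodies)


def source_contains(site: str, phrase: str) -> Condition:
    return lambda s: phrase.lower() in s.sources.get(site, "").lower()


def after(when: datetime) -> Condition:
    return lambda s: s.now >= when


def any_of(*conds: Condition) -> Condition:
    return lambda s: any(c(s) for c in conds)


def all_of(*conds: Condition) -> Condition:
    return lambda s: all(c(s) for c in conds)


def not_(cond: Condition) -> Condition:
    return lambda s: not cond(s)


def example_policy() -> Condition:
    """The four simple rules from the text, combined so that any one of them triggers."""
    return any_of(
        no_update_within(["X", "Y", "Z"], timedelta(days=182)),
        update_contains("implode"),
        source_contains("W", "ABC will acquire XYZ"),
        after(at(2060, 7, 11)),
    )


def sample_snapshot(**overrides) -> Snapshot:
    """Constructed sample state; keyword overrides replace individual fields."""
    base = dict(
        now=at(2024, 3, 1),
        last_update={"X": at(2024, 1, 15)},
        update_bodies=["still here"],
        sources={"W": "Press release: quarterly results announced."},
    )
    base.update(overrides)
    return Snapshot(**base)


if __name__ == "__main__":
    policy = example_policy()
    print("quiet state triggers:", policy(sample_snapshot()))
    print("press release triggers:",
          policy(sample_snapshot(sources={"W": "ABC will acquire XYZ, sources say."})))
```

Because every rule is a function of the snapshot alone, the same policy can be evaluated by a roving update agent, by code carried inside a stored message, or by a central tester, which is the flexibility [0053] describes; the inputs that matter (who last sent an authentic update, what the monitored sources said) are gathered once and the policy is then pure.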

[0064] During a disclosure destination targeting step 304, the software determines, at least by category and perhaps by specific address, the disclosure destinations that will receive a copy of the information once a disclosure condition occurs. Disclosure destinations may be specified by the information provider and/or by the system in a wide variety of ways. They may take the form of email addresses, web page addresses, and/or regions. Web page addresses may be listed as textual uniform resource locators (URLs) or as textual or binary hard-coded network addresses. When web pages are used as destinations, the information provider and/or the system may indicate that existing web pages should be modified to disclose the information and/or indicate that new web pages containing the information should be generated and placed at the specified addresses.

[0065] In the case of regions, email addresses and/or web page addressesin the region may be obtained automatically at the time of disclosure bythe system or they may be provided earlier by the user. Blanketdisclosure to a region may be specified by requesting all availablelocations in the region, by requesting some percentage of all availablelocations, or by requesting some minimum number of locations to whichthe information will be sent. Regions may vary in size, from“Corporation XYZ” to “newsgroup A.B.C” to “USA” to “everywherepossible”. If multiple destinations are specified, by specifying aregion or otherwise, then the disclosing copies may be sent in groupsspaced out over time, or they may all be sent as nearly simultaneouslyas is technologically possible.

[0066] In some embodiments, a formatting step 306 allows users todetermine formats to be used in disclosing the information. In othercases, the formats used are selected during an embodiment of the step306 which is performed by the system without interactively requestingthe user's preferences. For instance, in one embodiment all disclosuresare in plain text (ASCII) format sent as email generated by the system.Possible formats include plain text, digitally signed, encrypted, XML orHTML, and other formats for electronic documents. Format specificationmay include the text to be placed in an email subject line in emailmessages generated by the disclosing step 206.

[0067] Web pages may also be generated, partially or entirely, duringthe disclosing step 206. If web pages are among the destinations, thenformat specification may include a request that web links to thedisclosing page be created and sent out in email messages and/or thatthe web links be embedded in identified existing pages. In someembodiments, formats are a function of the destinations. For instance,in one embodiment, email addresses receive plain ASCII text, http://URLdestinations receive HTML, and FTP sites receive plain text and HTML.

[0068] During an optional deletion conditioning step 308, the software obtains the deletion conditions that determine when (and whether) the sensitive information entrusted to the system will be deleted in the ordinary course, absent unauthorized intervention. Some deletion conditions may be implicit in an embodiment, such as deletion of messages after they have been disclosed and the disclosure has been adequately acknowledged. Other deletion conditions may be explicitly stated by the information provider. The logic of deletion conditions, like the logic of disclosure conditions, may vary in complexity. The same tools and techniques used to detect disclosure conditions may be used to detect deletion conditions.

[0069] During a sensitive content obtaining step 310, the softwareobtains the sensitive information which is to be disclosed if, and onlyif, the disclosure conditions occur. The sensitive information may beprovided to the system in plaintext form or in encrypted form. Inparticular, information disclosed by the system in response to adisclosure condition may be encrypted. For instance, a user couldprovide several other parties with decryption keys which are useful onlyin the event of disclosure by the system.

[0070] Regardless of whether the sensitive information is alreadyencrypted, the system may encrypt (or re-encrypt) the information duringan optional encrypting step 312. The disclosure conditions, formats,and/or destinations may also be encrypted. Encryption tools andtechniques are well-known in the art, and any suitable ones may be used,including without limitation public key-private key encryption,symmetric encryption, and/or encryptions described in Schneier, AppliedCryptography and other references.

[0071] The encrypted information may also be digitally signed during a signing step 314 using familiar techniques and tools, including those described in Schneier, Applied Cryptography and other references. Checksums or cyclic redundancy codes may also be used as a weak but easily generated integrity check; unlike a true digital signature, however, they detect only accidental corruption, since anyone able to alter the content can recompute the checksum to match. In addition, the information may be compressed before or after encryption and/or signing; compression is performed during a compressing step 316 by using familiar techniques and tools.

[0072] Those of skill in the art will recognize that encryption, digitalsigning, and compression can be performed on part or all of a givenmessage, on several portions of a given message, in various nestedmanners, with different keys, and in other combinations. Those of skillwill readily identify and implement approaches that protect the secrecyand integrity of the sensitive information and the disclosure conditionsand destinations specified in messages according to the invention.

[0073] In particular, digital signatures may be used in place ofencryption if the information provider wishes to make the informationand/or conditions and/or destinations visible while still preventingtampering and still controlling disclosure of the full implications ofthe information. Sometimes the mere fact that information is encryptedwill draw unwanted attempts to decrypt or delete the information. Bycontrast, an apparently innocuous plaintext message may avoid beingtargeted.

[0074] The general lack of interest in plaintext is useful if the fullmeaning of a plaintext message becomes apparent only when one hasadditional information not found in the message itself. For instance, amessage containing nothing but three columns of numbers has littleapparent meaning. The message becomes more interesting if one learnsfrom some other source that each number in the first column identifies acontract while the second and third numbers represent the low bid andthe accepted bid, and it becomes very interesting indeed if a review ofthe circumstances involved raises a question as to why low bids weresometimes rejected.

[0075] Example Accepted Message Formats

[0076] FIGS. 4 and 5 illustrate some of the many possible formats for messages 400 which are produced by the message accepting step 200. In FIG. 4, the message 400 includes a digital signature 402 which is based on several other components of the message 400. The components on which the digital signature 402 is based define a scope 404 for the signature 402. The digital signature 402 reflects the content of the components in the scope 404 of the signature in order to detect tampering with, or removal of, such content.

[0077] In the illustrated embodiment, the scope 404 of the signature 402 includes encrypted sensitive information 406, disclosure conditions 408, destinations 410, and deletion conditions 412. The information 406 may have been submitted during step 310 in encrypted form, and/or it may have been encrypted by the inventive system during step 312. The disclosure conditions 408 were specified during step 302; the destinations 410 were specified during step 304, and the deletion conditions 412 were specified during step 308.

[0078] Each of the disclosure conditions 408, destinations 410, anddeletion conditions 412 may or may not be encrypted, depending on theembodiment. For instance, it may be useful to encrypt the sensitiveinformation 406 but leave some or all of the conditions 408, 412 anddestinations 410 visible and send a notice to an interested third partywith a copy of the message 400 after the message has been stored by theinventive system. The message 400 illustrated in FIG. 4 includes noexplicit format instructions but instead contemplates that format(s) forthe disclosure are provided by the software during the formatdetermining step 306 and/or the disclosing step 206.
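The following is an added example, not code from the patent, of a FIG. 4-style message 400 with a signature whose scope 404 covers the encrypted information 406, disclosure conditions 408, destinations 410 and deletion conditions 412. The field names, the framing of each component, and the sample values are constructed for illustration. HMAC-SHA256 is used as a stand-in for the digital signature 402 so the example runs with the Python standard library alone; a deployment would use an asymmetric signature so that a node merely holding a copy cannot forge one. The point demonstrated is that modifying any in-scope component, moving bytes between components, or dropping a component altogether invalidates the signature, while components left in plaintext (here the conditions and destinations) stay readable to a third party.

```python
import hashlib
import hmac
import json

# Components inside the signature scope 404, in a fixed order (constructed names).
SCOPE = ("encrypted_info", "disclosure_conditions", "destinations", "deletion_conditions")


def canonical_scope(message: dict) -> bytes:
    """Serialize the in-scope components unambiguously.

    Each component is framed as name, presence flag, length, bytes.  Editing a
    component, shifting bytes between components, or removing a component all
    change the signed input, so all three are detected on verification.
    """
    out = bytearray()
    for name in SCOPE:
        out += name.encode() + b"\x00"
        value = message.get(name)
        if value is None:
            out += b"\x00"                                   # component absent
        else:
            out += b"\x01" + len(value).to_bytes(4, "big") + value
    return bytes(out)


def sign_message(key: bytes, message: dict) -> dict:
    """Attach signature 402 over the scope (HMAC-SHA256 as stand-in signature)."""
    signed = dict(message)
    signed["signature"] = hmac.new(key, canonical_scope(message), hashlib.sha256).digest()
    return signed


def verify_message(key: bytes, message: dict) -> bool:
    """Recompute over whatever components are present now; compare in constant time."""
    expected = hmac.new(key, canonical_scope(message), hashlib.sha256).digest()
    return hmac.compare_digest(expected, message.get("signature", b""))


def build_example(key: bytes) -> dict:
    """Constructed FIG. 4-style message: the sensitive information is already
    encrypted (opaque stand-in bytes here); conditions and destinations are
    plaintext JSON, readable by an interested third party but not alterable."""
    conditions = {"disclose_if_no_update_from": ["X", "Y", "Z"], "within_days": 183}
    return sign_message(key, {
        "encrypted_info": bytes.fromhex("9f3a11c0de4d"),     # stand-in ciphertext
        "disclosure_conditions": json.dumps(conditions, sort_keys=True).encode(),
        "destinations": json.dumps(["alice@example.org", "https://example.org/disclose"]).encode(),
        "deletion_conditions": json.dumps({"after_disclosure_acknowledged": True}).encode(),
    })


if __name__ == "__main__":
    key = b"example-signing-key"
    m = build_example(key)
    print("intact:", verify_message(key, m))
    tampered = dict(m)
    tampered["destinations"] = b'["mallory@example.net"]'
    print("destinations altered:", verify_message(key, tampered))
    stripped = dict(m)
    del stripped["deletion_conditions"]
    print("deletion conditions removed:", verify_message(key, stripped))
```

The explicit presence flag matters: without it, a message whose deletion conditions were removed could canonicalize to the same bytes as one whose deletion conditions were an empty string, and the removal would go unnoticed.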

[0079]FIG. 5 illustrates another message 400 produced by the messageaccepting step 200. In this case, the message 400 includes travelingprogram code and/or data 500 which enables the message 400 to moveautonomously from one network node 102 and/or 104 to another. Travelingmessages 400 may be constructed using tools and techniques employed indesigning and implementing agents, web crawlers, robots, and otherfamiliar traveling programs. Instead of using traveling code 500, or inaddition to it, message 400 copies may also move from one node toanother by other means, such as conventional connections or sockets orlinks for sending and/or receiving files, servlets, applets, video,audio, email, or other data in the network 100.

[0080] In addition to traveling program code 500, messages 400 may include code for taking certain actions or making certain determinations discussed herein. Functionality to take such actions and/or make such determinations may also be embedded in software that is located on, or is in communication with, the node on which the message 400 in question is located. For convenience, when this description states that a message 400 does something, it should therefore be understood that the code being executed may be stored in the message 400 in some embodiments and outside the message 400 in others.

[0081] The message 400 in FIG. 5 also includes several components whichhave been encrypted by the software and thus lie within a systemencryption scope 502. These components include two pieces ofuser-encrypted sensitive information 504, 506;

[0082] disclosure conditions 508 for each piece of information 504, 506;destinations and formats 510 for the information 504, 506; and anidentification 512 of the information provider.

[0083]FIG. 5's message 400 illustrates the fact that in some embodimentsa message 400 guarded by the system may contain multiple pieces ofsensitive information with correspondingly flexible disclosureconditions and destinations. For instance, different pieces of sensitiveinformation might be sent to different people if disclosure istriggered, or the information pieces might be released in stages to thesame person, with each stage having its own disclosure condition(s) suchas the passage of time or the public posting of certain text at aparticular site.

[0084] Those of skill will appreciate that many other message formatsthan the ones shown in FIGS. 4 and 5 are possible with the invention. Inparticular, the illustrated components may be combined in other ways.For instance, additional digital signatures may be used, each stage of astaged disclosure may be signed, deletion conditions may be encrypted,selected components or the message as a whole may be compressed,information provider keys or credentials or otheridentification/authentication components may be included or omitted,creation timestamps and locations may be included or omitted, andmultiple message 400 formats (as well as multiple message copies in agiven format 400) may include the same sensitive information.

[0085] Message Storage Generally

[0086] During message storage, the system stores copies of the acceptedmessage(s). Message storage according to the present invention takes adifferent approach than conventional escrow methods. A conventionalescrow system stores items from many different sources in a singlesecure vault, or at most a small number of such vaults. A conventionalescrow service typically has a single vault in a given region orcountry, and it relies on strong physical security measures such assteel safes, human guards, and the like. Conventional escrow servicesalso place great weight on control over physical conditions such astemperature and humidity. Moreover, access to stored items, anddisclosure of stored items, is through the human escrow agent. Multipleinstances of an item are not necessarily stored, because of limitedspace considerations and consequently higher costs. There are otherdifferences as well.

[0087] By contrast, a system according to the invention may benefit fromphysical security measures, but it does not rely on them as theprincipal means for ensuring survival of stored information. Instead,the invention takes advantage of the size and scope of networks,particularly global networks such as the Internet or large corporatenetworks having many nodes dispersed over a variety of platforms andlocations. The invention stores copies of sensitive information on manynodes, in locations which are difficult or impossible to determinewithout authorization (and in some embodiments, even with authorizationfrom the information provider). Thus, even a determined attack isunlikely to locate and destroy all copies. Disclosure may also be fullyautomated.

[0088] Moreover, in some embodiments a given message 400 containsinformation from more than one source, and users are informed of this.Thus, an attacker who deletes a copy of a message 400 does notnecessarily know the identity of all information providers beingattacked. This forces the attacker to risk the wrath of unknown parties.In one variation, individuals or small businesses can purchase space inmessages 400 from more powerful entities, so their information 406, 504,506 is interleaved with that of the more powerful entity. The powerfulentity may or may not view the information it stores in this interleavedmanner as particularly important in and of itself; the powerful entitymay simply be lending its strength and reputation—at a price—to helpdiscourage tampering with the information of others.

[0089] Message storage according to the invention may be accomplished invarious ways. Two general approaches in the form of “roving messages”and “poised messages” are described below, but other approaches whichprovide controlled disclosure by utilizing a network for informationescrow according to the teachings herein also fall within the scope ofthe claimed invention.

[0090] Roving Message Storage

[0091]FIGS. 6 and 7 illustrate methods employing a “roving message”approach to the message storing step 202. Roving messages may beimplemented with traveling program code and/or data 500, or without it;the term “roving” is used in contrast with the term “poised” discussedlater. Briefly, roving messages are implemented by making message 400copies travel from node to node indefinitely until disclosure ordeletion. Poised messages, on the other hand, may initially traverse oneor several nodes, but do so in order to reach a specific destinationand, once there, stay put until disclosure or deletion.

[0092] In order to better illustrate the update steps 208, 210, assumethat embodiments according to FIG. 7 use disclosure conditions and/ordeletion conditions which depend on at least one update, whileembodiments according to FIG. 6 do not. In practice, a given inventivesystem may employ approaches shown in either or both Figures.

[0093] A roving message storage step 600, which is one type of messagestoring step 202, starts by obtaining the address of a next targetlocation. This may be accomplished by an address generating step 602, anaddress selecting step 604, or a combination of the two steps. Anaddress may be in the form of an IP address, Ethernet address, URL,email address, and/or other network address which identifies a physicalor virtual node, and may include a directory path component and/or afile disguise (e.g., use of *.c, *.cpp naming conventions and/orinternal syntax) which further specify how to store a message 400 copyon a given node. FIG. 6 refers to a “next” location, but it will beappreciated that when the system first stores a newly accepted message400, the “next” location is also the first location.

[0094] The address generating step 602 works best when valid addressesare relatively dense in the space of possible system 100 addresses,since the step 602 proceeds by generating an address whose syntax iscorrect but which does not necessarily correspond to any presentlyreachable location. For instance, if the syntactic range for IPaddresses is assumed to be 1.0.0.0 to 239.255.255.255, then thegenerating step 602 could proceed by generating four random numbers,pinning or truncating them to the indicated ranges (1..239, 0..255,0..255, and 0..255), and adjoining them to form an IP address.Alternatively, one large random number could be sliced to form the IPaddress by using the first eight bits for the first part of the address,the next eight bits for the next part, and so on, with appropriaterounding or truncation to fall within the required ranges.

[0095] Instead of generating an address with the right syntax that mayor may not be valid, the address selecting step 604 selects an addressfrom a list or table of addresses that were, at least at one time, bothsyntactically correct and valid (reachable from the present location).Those of skill in the art will understand how to obtain such addresslists from routers or other sources and how to verify the syntax of agiven address. The table of addresses may vary in size. Tables havingmany entries make messages 400 harder to locate and destroy, but theyalso require more storage space in messages 400 and their correspondingupdates 1000.

[0096] Instead of using a random number, or in addition to using one ormore random numbers, the address could also be generated during step 602or selected during step 604 by using the identification orauthentication information obtained during step 300. For instance, iflack of a timely update can trigger disclosure (as presumed in FIG. 7)then steps 602 and 604 provide addresses in a manner that depends on theauthentication information provided when the message was stored. Thatsame authentication information must be provided with each update. Ifthe authentication information is provided correctly, then the updatecan follow the path of the original message (spawning additional copiesjust as the original message did), find each copy of the originalmessage, and prevent disclosure. If proper authentication information isnot provided, then at least one copy of the message 400 will not receivean update and disclosure will be triggered.

[0097] On the other hand, if the disclosure and deletion conditions areindependent of message updates (as presumed in FIG. 6), then steps 602and 604 provide addresses in a random or quasi-random manner. Hashfunctions, random number generators, and other familiar tools may beused. For instance, the address generating step 602 may generate a setof quasi-random numbers in the appropriate ranges and adjoin them toform the next IP address, Ethernet address, or other address; theaddress selecting step 604 may generate a single quasi-random number anduse it to index the table of addresses to select the next address.

[0098] To provide addresses in a manner that depends on theauthentication information, step 602 may interpret the first N bits ofauthentication information as an N-bit address. Alternatively, step 602may interpret M bits of authentication information as part of a N-bitaddress (N>M), with the rest of the address chosen in a predeterminedmanner to improve the chance of generating a valid reachable address.For instance, in an IP address the leftmost component might be taken tobe the same as the current address, while the other components are takenfrom the authentication information.

[0099] Of course, many variations are possible when mappingauthentication information to network addresses during step 602,including manipulating the authentication information to reduce orremove long strings of zeroes and long strings of ones before selectingthe N bits, selecting the N bits from within the authenticationinformation bit-string instead of from the end, making the next addressa function of both the authentication information and the currentaddress, and so on. Similar considerations apply to the use ofauthentication information as an index into a table of addresses duringstep 604. Whatever implementation is used, however, must be reproducibleby an authentic update so it can follow the message copies, and shouldalso be difficult to deduce or reproduce without the authenticationinformation so that unauthorized updates are prevented.

[0100] During a creation trying step 606, the system tries to create acopy of the message 400 at the address provided by step 602 or step 604.This may be done by the message itself through traveling code, or bytransmission of a message 400 copy in a file to code residing on thetarget node, or by other data transmission means. If the attempt fails,another address is obtained by repeating step 602 or step 604. Theattempt may fail because the address is not valid, or the address may bevalid but the node at that address may be down or it may refuse incomingmessage copies, for instance. If updates are not involved (FIG. 6), thenadditional addresses may be obtained (steps 602, 604) and tried (step606) until the message 400 is successfully copied during step 606.

[0101] A similar loop may be performed when updates are involved (FIG.7). However, there are additional considerations. Suppose one or moreaddresses were not valid when tried by the message but are valid whentried later by the update(s); node(s) may have been added or one or moreaddress assignments may have changed. Indeed, address syntax may havechanged. Then the updates may follow a path not taken by the messagecopies, and the risk of unwanted behavior arises. The concern alsoarises if a node was down, or was configured to refuse messages 400 (byblocking out traveling programs, for instance) when tested by themessage, but is now back up and will accept the update.

[0102] One apparent solution is to simply make the updates 1000 followevery possible path. However, proliferating so many updates could placeunacceptable burdens on the network 100. Better approaches are possible.For instance, the message 400 may leave a digitally signed (and possiblyencrypted) marker for the update 1000, indicating that the message 400is taking the Kth address from a list of addresses known to the messageand the update. The list of addresses may be carried by the message 400and the update 1000 or the list may be resident at the node, possibly indisguised or encrypted form. Since the update obtains addresses usingthe same algorithms and seeds (authentication information and/or currentaddress, for instance) as the original message, this provides enoughdata for the update 1000 to follow the message 400 without revealing thepath to unauthorized users. Alternatively, the address itself may beprovided, stored on the node in an obscure file in encrypted orfile-disguised form. If a file disguise is used, then the disguisingfile name and/or syntactic format preferably correspond to a file typewhich tends not to be deleted, such as *.exe or *.dll or administrativefiles. For instance, the address could be placed in an otherwise unuseddata block in an executable file that simply prints the current date.

[0103] Yet another approach puts a small cap on the number of addressestried during the loop through steps 602 to 606. For instance, if a validaddress is not selected in three tries, the message 400 copy stopstraveling. The updates 1000 then propagate, but not as rapidly, becausethey only need to explore the first three addresses at each node; alimit may also be put on the maximum number of hops a message 400 copycan take.

[0104] A “hop” for purposes of the present invention is not necessarilya packet-level or data link layer hop. Rather, a hop is a movement ofmessages 400 or updates 1000 between two nodes whose addresses areexpressly known to the message 400 or the update 1000, respectively. Atlower levels of abstraction, the network operating system or othercommunications software in the network 100 may actually send the messageor update as one or more packets to many nodes as part of a single hop.

[0105] After the message is copied to another node by step 606, an optional step 608 deletes the copy on the current node. If the copy deleting step 608 is always performed, then one copy of the message 400 roves around the network. In a variation, the first execution of step 600 stores a large number of message copies on network nodes, with one or more copies per node, and then each of those copies roves without spawning any further copies. On the other hand, if the copy deleting step 608 is never performed then copies of a message 400 proliferate rapidly, spreading in an expanding tree from the node that accepted the message 400 during step 200. Of course, intermediate approaches are also possible, with message 400 copies spawned every X hops or every Y minutes, for instance.

[0106] In FIGS. 6 and 7, the system tests disclosure conditions during step 204 and discloses the message information during step 206 if one or more disclosure conditions are satisfied. The system also tests deletion conditions during a step 610 and deletes the message during a step 612 if one or more deletion conditions are satisfied. Deletion conditions and disclosure conditions were discussed in connection with FIGS. 3 through 5.

[0107] Poised Message Storage

[0108]FIGS. 8 and 9 illustrate methods employing a “poised message”approach to the message storing step 202. In a manner similar to FIGS. 6and 7, we presently assume that embodiments according to FIG. 9 usedisclosure conditions which depend on at least one message update, whileembodiments according to FIG. 8 do not. In practice, a given inventivesystem may employ either or both approaches. Note that some embodimentswill accept an update 1000 having a designated effective date evenbefore a message 400 to which the update applies is accepted by thesystem. That is, steps 208 and 210 may precede steps 200 and 202 in somecases.

[0109] The major difference between poised messages 400 and rovingmessages 400 lies in the nature and frequency of the message storingstep 202. As discussed above, roving messages 400 move about the networkindefinitely and may spawn copies of themselves as they go. By contrast,poised messages 400 reach their ultimate destination in one hop, or atmost a very few initial hops, and then stay at that address while theyawait message updates 1000 and/or triggering conditions.

[0110] For instance, one of the methods illustrated by FIG. 8 proceedsas follows: after an initial message acceptance step 200 and messagestorage step 202, the system goes into a loop which tests for disclosureconditions at least once each day during the step 204. If a disclosurecondition is found, the sensitive information is disclosed during step206 and the method terminates.

[0111] In a variation, the message checks for deletion conditions afterthe disclosure, and terminates with step 612 after a deletion conditionis found. Disclosure may be a deletion condition, or the occurrence ofan event that might be provoked by disclosure could be a deletioncondition. Receipt of an authentic message update 1000 which requestsdeletion could also be a deletion condition.

[0112] In another variation, the system goes into a loop which tests inturn for disclosure conditions and for deletion conditions during steps204 and 610. The system performs the test each time a certain dynamiclibrary module or software component is loaded and initialized forservice. Many other variations are also possible.

[0113] One message storing step 202 suitable for storing poised messages uses two hops for each copy of a given message that is being stored. All copies of a given message 400 are sent out concurrently, or nearly so, and the first copy, which is on the message accepting node, is then optionally deleted. The copy destinations for the first hop (or in the case of N hops, the destinations for the first N−1 hops) are generated randomly or quasi-randomly. Indeed, if updates are also being sent for the message (FIG. 9), then the first hop (or first N−1 hops) taken by the updates 1000 will generally not follow the same node-to-node paths as the paths that were taken by the message 400 copies. In some embodiments, this flurry of apparently randomly addressed update transmissions includes decoy updates which do not contain update information, but exist instead to provide cover for the actual updates 1000.

[0114] The destination address for the last hop is generated or selectedusing authentication information 512 and a message copy index. Themessage copy index distinguishes at least some copies of a given message400 from other copies of the message 400 that are being stored by thesystem. In the simplest case, the index is just increasing integers,identifying copy 1, copy 2, . . . , copy k of the given message 400. Butthe message copy index may also follow a sequence other than 1, 2, 3, .. . , such as counting by sevens, or using the Fibonacci sequence 1, 1,2, 3, 5, 8, . . . .

[0115] As a result, all message 400 copies are ultimately sent todestination nodes that can be identified if one has the authenticationinformation 512 and knows how message copy index values are assigned.Even if updates 1000 take different paths than the message 400 copiesthey target, the updates and the copies ultimately arrive at the samedestinations. In a variation, updates 1000 are also sent to locationsthat do not hold a message 400 copy, but every location holding amessage 400 copy also receives at least one update 1000.

[0116] Sending out messages 400 and updates 1000 along paths having oneor more random hops at the beginning of the path makes it more difficultto locate all copies of a message 400 by simply monitoring transmissionsfrom the message accepting node and/or monitoring updates 1000 sent bythe information provider from any given node. Knowing the initialdestination of the message 400 copies and the updates 1000 does not helpthe eavesdropper determine the present location of the message 400copies.
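The following is an added example, not code from the patent, that works through the address mechanics of steps 602, 604 and 606 from both the roving (FIGS. 6 and 7) and poised (FIGS. 8 and 9) sections above: random syntactic IPv4 generation pinned to the 1..239 first-octet range the text assumes, authentication-dependent derivation of the next address (or of an index into a table of known addresses) from the current address, the cap of three tries per node from paragraph [0103], and the poised last hop derived from authentication information 512 plus a message copy index. The address table, the `reachable` set that models which nodes accept copies, the label strings and the use of HMAC-SHA256 as the derivation function are all constructed assumptions; the text leaves the mapping unspecified. A keyed derivation is chosen because the text requires the mapping to be reproducible by an authentic update yet hard to deduce without the authentication information, which is exactly the property of a MAC.

```python
import hashlib
import hmac
import secrets

# Constructed table of addresses that were valid at some point (input to step 604).
ADDRESS_TABLE = [
    "10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14",
    "10.0.1.21", "10.0.1.22", "10.0.1.23", "10.0.1.24",
]


def _derive(auth_info: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation shared by steps 602/604: reproducible by anyone holding
    auth_info (the authentic update), infeasible to predict without it."""
    h = hmac.new(auth_info, label, hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)   # length-framed inputs
    return h.digest()


def bits_to_ipv4(raw: bytes) -> str:
    """Step 602: slice 32 bits into four octets.  The first octet is reduced
    into the 1..239 range the text assumes; the others are already 0..255."""
    return f"{1 + raw[0] % 239}.{raw[1]}.{raw[2]}.{raw[3]}"


def random_ipv4() -> str:
    """FIG. 6 variant: syntactically valid, not necessarily reachable."""
    return bits_to_ipv4(secrets.token_bytes(4))


def next_roving_address(auth_info: bytes, current: str, attempt: int) -> str:
    """FIG. 7 variant of step 602: next address is a function of the
    authentication information, the current address and the attempt number."""
    return bits_to_ipv4(_derive(auth_info, b"rove-602", current.encode(), bytes([attempt])))


def next_roving_index(auth_info: bytes, current: str, attempt: int, table_size: int) -> int:
    """FIG. 7 variant of step 604: the same derivation used as a table index."""
    digest = _derive(auth_info, b"rove-604", current.encode(), bytes([attempt]))
    return int.from_bytes(digest[:8], "big") % table_size


def poised_destination(auth_info: bytes, copy_index: int, table=ADDRESS_TABLE) -> str:
    """Last hop of a poised copy: address from authentication information 512
    plus the copy index, so an update reaches the same node by any route."""
    digest = _derive(auth_info, b"poised-last-hop", copy_index.to_bytes(4, "big"))
    return table[int.from_bytes(digest[:8], "big") % len(table)]


def rove(auth_info: bytes, start: str, hops: int, reachable: set,
         max_tries: int = 3, table=ADDRESS_TABLE) -> list:
    """Steps 602/604/606 in a loop with the cap of paragraph [0103]: at each
    node try at most max_tries derived addresses; if none accepts a copy the
    copy stops traveling.  An authentic update re-runs this same function and
    therefore visits the same nodes."""
    path = [start]
    current = start
    for _ in range(hops):
        for attempt in range(1, max_tries + 1):
            candidate = table[next_roving_index(auth_info, current, attempt, len(table))]
            if candidate in reachable:          # step 606 succeeded
                path.append(candidate)
                current = candidate
                break
        else:
            break                                # cap reached: copy stays put
    return path


if __name__ == "__main__":
    auth = b"provider-authentication-info"
    reachable = set(ADDRESS_TABLE[:6])           # two table entries currently refuse copies
    print("message path:", rove(auth, "10.0.0.1", 4, reachable))
    print("update path: ", rove(auth, "10.0.0.1", 4, reachable))
    print("poised copies:", [poised_destination(auth, k) for k in (1, 2, 3)])
    print("random syntactic address:", random_ipv4())
```

The residual weakness the text itself raises in paragraph [0101] is visible here: the path depends on which candidates were reachable at the time, so an update sent later, when a previously down node has come back, can diverge unless the message leaves the signed marker described in paragraph [0102].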

[0117] Example Message Update Formats

[0118]FIG. 10 illustrates formats for message updates 1000 which areproduced by the message update accepting step 208. As with the messageformats shown in FIGS. 4 and 5, some of the components shown areoptional in some embodiments, and components may also appear indifferent orders. Updates 1000 may also include components not shown inFIG. 10. In particular, some message updates 1000 include address lists,traveling program code and/or data similar to the component 500, and/orinstructions for a message 400 to change its security approach bychanging file disguises or changing between poised and roving storage,for instance.

[0119] In the illustrated embodiment, one or more digital signatures1002 are provided to allow message 400 copies or associated “hiddenchoir” software to detect tampering with message updates 1000 and thusavoid relying on fraudulent updates 1000. The digital signature(s) 1002may also be used to authenticate the update 1000 to the message 400copies. As with the digital signatures 402 in messages 400, the digitalsignatures 1002 in updates 1000 may be generated by the inventivesystem, by the provider of the sensitive information, or both, and mayvary in nature and scope between embodiments.

[0120] A message update 1000 provides one or more of the followingfunctions: preventing message disclosure, triggering message disclosure,triggering message deletion, and instructing the message copies tochange their security approach. An embodiment need not support all ofthese functions.

[0121] To prevent message disclosure in an embodiment which uses a “deadman switch” approach, a secrecy renewal 1004 may be included in updates 1000 that are sent to at least the same locations as the messages 400. A digitally signed timestamp or other tool analogous to those familiar in the art is used to prevent replay attacks in the form of unauthorized repetition of an earlier secrecy renewal in place of a missing renewal. If authentic, the secrecy renewal in effect tells the message 400 or associated software that “your creator is still healthy and does not wish the sensitive information to be disclosed yet.” Conversely, messages 400 may be configured with a reverse deadman switch, so that disclosure happens only if an authentic disclosure trigger 1006 is received by the message 400.

[0122] As noted, capabilities involving disclosure conditions and deletion conditions are somewhat similar, so a deletion trigger 1008 may also be used in some embodiments. On the other hand, an embodiment may also support “uncancelable” messages, in the sense that a message 400 which has been accepted cannot later be withdrawn even if the user who provided the information to the system wishes to cancel the message and prevent disclosure. This is accomplished by ignoring deletion triggers 1008 and deletion conditions 412, or by not supporting them at all. This provides a safeguard against message cancellation under duress.

[0123] In one embodiment, an option to delete a message 400 is apparently presented to the information provider. However, in accordance with a condition previously specified by the information provider, invoking the option will actually result in an emergency action, such as an email for help or a disclosure of selected information, rather than deletion without disclosure. Thus, an information provider who is under duress may secretly call for help or take other action that would not be permitted if performed openly.
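The update handling of [0120] through [0123] for a single stored copy, as an added illustration that is not code from the patent: authenticated updates with a signed timestamp for replay protection, the deadman and reverse deadman switches, uncancelable messages, and the duress option. The keyed HMAC standing in for digital signature 1002, the JSON update layout, and all names are assumptions.

```python
# Added illustration of the update handling in [0120]-[0123]; not the patent's code.
# Assumed: a keyed HMAC stands in for digital signature 1002, updates are a JSON
# body plus tag, and times are integer seconds since some epoch.
import hashlib
import hmac
import json

# Update kinds, standing in for components 1004, 1006 and 1008.
RENEWAL = "secrecy_renewal"
DISCLOSE = "disclosure_trigger"
DELETE = "deletion_trigger"


def sign_update(key: bytes, kind: str, issued_at: int) -> dict:
    """Producer side: an update carrying a signed timestamp."""
    body = json.dumps({"kind": kind, "issued_at": issued_at}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


class MessageCopy:
    """One hidden copy; state is secret, disclosed, deleted or emergency."""

    def __init__(self, key, stored_at, renewal_interval,
                 reverse_deadman=False, uncancelable=False, duress_action=None):
        self.key = key
        self.last_renewal = stored_at     # deadman clock starts when stored
        self.last_seen = stored_at        # newest timestamp accepted so far
        self.interval = renewal_interval
        self.reverse_deadman = reverse_deadman  # disclose only on a trigger
        self.uncancelable = uncancelable        # ignore deletion triggers
        self.duress_action = duress_action      # emergency action, not deletion
        self.state = "secret"

    def _authentic(self, update: dict) -> bool:
        expected = hmac.new(self.key, update["body"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, update["sig"])

    def apply_update(self, update: dict) -> str:
        if self.state != "secret":
            return "ignored: already " + self.state
        if not self._authentic(update):
            return "rejected: bad signature"
        body = json.loads(update["body"])
        # Replay protection: an old renewal cannot stand in for a missing one.
        if body["issued_at"] <= self.last_seen:
            return "rejected: stale timestamp (replay)"
        self.last_seen = body["issued_at"]
        kind = body["kind"]
        if kind == RENEWAL:
            self.last_renewal = body["issued_at"]
            return "renewed"
        if kind == DISCLOSE:
            self.state = "disclosed"
            return "disclosed"
        if kind == DELETE:
            if self.uncancelable:
                return "ignored: uncancelable message"
            if self.duress_action:   # apparent deletion, real call for help
                self.state = "emergency"
                return "emergency: " + self.duress_action
            self.state = "deleted"
            return "deleted"
        return "rejected: unknown update kind"

    def check_conditions(self, now: int) -> str:
        """Deadman switch: disclose once no authentic renewal arrived in time."""
        if (self.state == "secret" and not self.reverse_deadman
                and now - self.last_renewal > self.interval):
            self.state = "disclosed"
        return self.state
```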

[0124] Message Update Storage

[0125] The same tools and techniques discussed in connection with storage of roving messages 400 and poised messages 400 may be used for corresponding updates 1000 to such messages 400. In addition, or as an alternative, a system may use searching updates 1000 which do not follow the path of a message 400 copy and cannot determine the path taken by a given message 400. These searching updates 1000 are not targeted at a specific message 400 copy, but instead traverse the network 100 searching for corresponding message 400 copies.

[0126] When a message 400 copy is found, the searching update 1000 acts on the copy, subject to authentication. If the conditions for disclosure or deletion are met, for instance, the searching update 1000 and/or message 400 copy perform the triggered action; if not, the searching update 1000 moves on to the next node, checks for a message 400 copy, and so on. The searching update 1000 may be implemented using robots, agents, crawlers, or other traveling software tasks that roam the network. The traversal method used by the searching update 1000 should eventually lead it to every location that might harbor a message 400 copy. This may be accomplished using the teachings herein in conjunction with familiar graph search algorithms, for instance.

[0127] If the number of locations to search is large, the traversal may take considerable time, so searching updates 1000 are not necessarily the best choice when time is of the essence. However, searching updates 1000 may advantageously make it more difficult to follow an update 1000 directly to a message 400 copy and thereby reduce the risk of unauthorized actions.

[0128] In a manner similar to traversal by a searching update, an unauthorized search-and-destroy program could roam the network 100 trying to locate message 400 copies. Accordingly, message 400 copies should be named obscurely and/or be located in obscure places (or in obvious places in file disguised form) so that even if their network node address is known, their existence is not necessarily revealed. Then a search-and-destroy attacker will not necessarily be able to locate the message 400 copies themselves even if the attacker uses the same traversal methods as searching updates 1000 to locate nodes likely to contain message 400 copies.

[0129] Tools and techniques used by viruses, worms, Trojan horse programs and the like may be adapted to disguise message 400 copies. In addition, when encrypting a message 400, the message 400 may be reformatted in the guise of a *.c, *.h, *.cpp, *.hpp, *.asm, *.ini, *.DLL, OLE, COM, Java, or other software component or file of a type commonly found on the network 100. Such file disguises include using the appropriate file name extension and other naming conventions for the file type chosen, and may also involve providing the expected internal syntax for the file's contents; hidden information can be placed in a source code file comment, for instance, or in executable code file data sections. Unless a search-and-destroy program is prepared to test both the syntax and the semantics of each file it encounters (and even then risk erroneously deleting a file which is not a message 400), disguising the message 400 copies in this manner will substantially reduce the risk of their unauthorized removal or disclosure. Of course, the message update 1000 (whether a searching update or otherwise) must be able to identify message 400 copies, so any message update 1000 should be made difficult to capture and difficult to reverse engineer. Capture of a message update 1000 can be made difficult by using a small number of such updates 1000 and by drawing on tools and techniques used by viruses and the like. Message update 1000 reverse engineering can be made difficult by using self-modifying code, time-out loops that detect delays caused by debugger traps and then scramble memory, and other techniques.

[0130] In some embodiments, the updates 1000 are sent only to nodes that should also contain a message 400 corresponding to the update 1000. In such cases, it may happen that the expected message 400 is not there. This unexpected omission can be ignored, or it can be reported to a trusted administrator and/or to the information provider.

[0131] It may also happen that the update 1000 finds the message 400 at the expected location but a digital signature comparison reveals tampering with the message 400 and/or the update 1000. In such cases, the system may take various actions, according to previously programmed defaults or options specified when the message 400 was stored. For instance, software may raise an alarm by notifying the information provider and/or some other party, or it may disclose the message 400 information earlier than it otherwise would have done.

Additional Message and Update Transmission Considerations

Computers in the system may in general be either servers 102, clients 104, or a mixture of servers and clients. Methods of passing messages 400 and updates 1000 may vary according to whether the sender and transmitter are server or client or a mixture. For instance, agents or servlets or other tasks may be transmitted more readily in some instances while files which are not executable are more readily transmitted in others.

[0132] Although the messages 400 and updates 1000 may be implemented using agents, crawlers, servlets, or various forms of traveling program, the transmittals 400, 1000 need not include executable code in every system according to the invention. Some embodiments transmit primarily non-executable messages 400 and updates 1000, while others transmit only non-executable messages 400 and updates 1000. In such embodiments, a task or agent or other local “hidden choir” software resides on each node and performs one or more of the functions discussed above, namely, receiving messages and updates, transmitting messages and/or updates to other nodes, testing disclosure and/or deletion conditions, and carrying out disclosure and/or deletion as indicated.

[0133] The local software may be dispersed through the network 100 nodes on an as-needed, autonomous basis, that is, without any node knowing the location of every piece of the inventive software. This dispersal may be accomplished in a manner similar to dispersal of executable messages 400 or updates 1000 discussed above in connection with roving messages.

[0134] The local software may also be dispersed through the nodes in a centrally managed way, so that a central contract index or other list identifies all nodes (or at least all local networks) which have software in place to receive and manage messages 400 and updates 1000. Naturally, the existence of such a list poses a threat to the continued survival of messages 400 and updates 1000. However, the threat can be reduced by protecting the confidentiality of the list (both its existence and its contents); by making the list of nodes numerous and varied as to platform, entity, and security requirements; by seeding the list with nodes containing tracking software that reports attempted operations to a trusted administrator; by using only a subset of the listed nodes for any given message, thereby raising the cost of unauthorized access attempts by forcing any infiltration to attack nodes that contain no messages; and perhaps by other precautions as well.

[0135] Summary

[0136] In summary, the present invention provides a novel system and method for controlling the disclosure of sensitive information. Copies of the information are hidden throughout a network. Disclosure of the information may be triggered when an expected secrecy renewal does not arrive, indicating that the information provider is in trouble and/or wishes the previously safeguarded information to be released. Disclosure may also be delayed, perhaps indefinitely, unless expressly triggered by the information provider or another authorized user. In short, information is kept secret until specified conditions are met and is then disclosed in a specified manner.

[0137] The Figures show a particular order and grouping for method steps of the invention. However, those of skill will appreciate that the steps illustrated and discussed in this document may be performed in various orders, including concurrently, except in those cases in which the results of one step are required as input to another step. Likewise, steps may be omitted unless called for in the claims, regardless of whether they are expressly described as optional here. Steps may also be repeated, or combined, or named differently. Both headings and references to discussions of a given topic elsewhere in the application are for convenience only.

[0138] Although particular methods embodying the present invention are expressly illustrated and described herein, it will be appreciated that apparatus, signal, and article embodiments may be formed according to methods of the present invention. For instance, discussion of the message formats 400 illustrates method steps, message signals, and computing systems configured with inventive software to read and write such formats. Unless otherwise expressly indicated, the description herein of methods of the present invention therefore extends to corresponding apparatus, signals, and articles, and the description of apparatus, signals, and articles of the present invention extends likewise to corresponding methods.

[0139] Although reference is made to software and/or hardware and/or systems, it will be appreciated that the inventive functionality may be provided by various combinations of one or more of the following: compiled software, interpretable code such as byte codes, fully linked executable code, dynamically loaded libraries, COM or OLE or Java or other components, firmware, microcode, ASICs, PALs, RAM, processors, environment variables, command line parameters, initialization or configuration files, and other software and hardware components, tools, and techniques known in the arts.

[0140] The invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. Any explanations provided herein of the scientific principles employed in the present invention are illustrative only. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed and desired to be secured by patent is:
1. A method for controlling disclosure of sensitive information provided by an information provider, comprising the steps of: obtaining at least one disclosure condition; hiding copies of the sensitive information in a network at locations not disclosed to the information provider; checking at least once for occurrence of the disclosure condition; and if occurrence of the disclosure condition is detected then disclosing at least a portion of the sensitive information.
2. The method of claim 1, wherein the sensitive information is hidden by encryption.
3. The method of claim 1, wherein the sensitive information is hidden by a file disguise.
4. The method of claim 1, wherein the hiding step hides at least ten copies of the sensitive information.
5. The method of claim 1, wherein the hiding step hides at least one hundred copies of the sensitive information.
6. The method of claim 1, wherein the hiding step hides at least one thousand copies of the sensitive information.
7. The method of claim 1, wherein the hiding step creates at least one roving message copy.
8. The method of claim 1, wherein the hiding step creates at least one poised message copy.
9. The method of claim 1, further comprising the steps of: obtaining at least one deletion condition; checking at least once for occurrence of the deletion condition; and if occurrence of the deletion condition is detected then deleting at least a portion of the sensitive information.
10. The method of claim 9, wherein cancellation by the information provider is a deletion condition, and the user requests such cancellation.
11. The method of claim 1, further comprising the steps of accepting a message update and storing the message update.
12. The method of claim 1, wherein the message update is a searching update which is not directed at a particular copy of the corresponding message to be updated.
13. The method of claim 1, wherein the message update is directed at a particular copy of a corresponding roving message to be updated.
14. The method of claim 1, wherein the message update is directed at a particular copy of a corresponding poised message to be updated.
15. The method of claim 1, wherein at least a portion of the sensitive information is disclosed using at least one destination specified by the information provider.
16. The method of claim 15, wherein a region destination was specified by the information provider and disclosure includes disclosure in that region.
17. The method of claim 15, wherein a deadman switch disclosure condition was specified by the information provider and disclosure is triggered by that condition.
18. The method of claim 1, wherein at least a portion of the sensitive information is disclosed using at least one format specified by the information provider.
19. A computer system comprising a network, message storage means for storing in the network copies of a message, and message disclosure means for disclosing the message if a predefined condition is detected.
20. The system of claim 19, wherein the message storage means comprises an encryption means for encrypting at least one message component.
21. The system of claim 19, wherein the message storage means comprises a digital signature means for digitally signing at least one message component.
22. The system of claim 19, wherein the message storage means comprises code to send a notice to a specified email address after the message has been stored.
23. The system of claim 19, wherein the message disclosure means comprises an email message generator for creating and mailing at least one email message containing a copy of at least a portion of the stored message.
24. The system of claim 19, wherein the message disclosure means comprises a web page generator for creating and posting at least a portion of a web page containing a copy of at least a portion of the stored message.
25. The system of claim 19, wherein the message disclosure means comprises code for detecting a deadman switch for triggering disclosure.
26. The system of claim 19, wherein the message disclosure means comprises code for detecting a reverse deadman switch for triggering disclosure.
27. The system of claim 19, wherein the network includes a local area network.
28. The system of claim 19, wherein the network includes a geographically dispersed network and at least two copies of the message are geographically dispersed in the network.
29. The system of claim 19, wherein the network includes nodes on different continents and at least two copies of the message are stored on different continents in the network.
30. The system of claim 19, further comprising a means for changing the location of message copies.
31. The system of claim 19, further comprising a means for placing message copies in at least one file disguise.
32. The system of claim 19, further comprising a message deletion means for deleting message copies.
33. The system of claim 32, wherein the message deletion means comprises a means for performing an emergency action in response to an apparent deletion request.
34. The system of claim 32, wherein the message deletion means comprises a cancellation means for deleting all stored message copies.
35. The system of claim 34, wherein the cancellation means requires authentication information which confirms that the source of the cancellation request is the same as the source of the message to be canceled.
36. The system of claim 19, further comprising a message update storage means for storing message updates.
37. The system of claim 36, wherein the message update storage means comprises code for creating decoy updates.
38. The system of claim 36, wherein the message update storage means comprises code for creating at least one secrecy renewal.
39. The system of claim 36, wherein the message update storage means comprises code for creating at least one address marker.
40. The system of claim 36, wherein the message update storage means comprises code for creating at least one searching update.
41. The system of claim 36, wherein the message update storage means comprises code for creating at least one update to a roving message.
42. The system of claim 36, wherein the message update storage means comprises code for creating at least one update to a poised message.
43. A signal embodied in a network for controlled message disclosure, the signal comprising a sensitive information component and a disclosure condition component.
44. The signal of claim 43, wherein at least the sensitive information component is encrypted.
45. The signal of claim 43, wherein at least the sensitive information component is compressed.
46. The signal of claim 43, wherein at least the sensitive information component is digitally signed.
47. The signal of claim 43, further comprising a destination component.
48. The signal of claim 43, further comprising a disclosure format component.
49. The signal of claim 43, further comprising an identification component.
50. The signal of claim 43, further comprising a traveling program component.
51. The signal of claim 43, further comprising a deletion condition component.
52. The signal of claim 43, further comprising code for monitoring conditions to determine if disclosure or deletion is appropriate.
53. The signal of claim 52, wherein the code operates independently of any message update signals.
54. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer system to perform method steps for controlled message disclosure, the method steps comprising the steps of: obtaining at least one disclosure condition; storing copies of a message in a network; checking for occurrence of the disclosure condition; and if occurrence of the disclosure condition is detected then disclosing at least a portion of the message.
55. The storage medium of claim 54, wherein the storing step comprises placing a copy of the message in a file disguise.
56. The storage medium of claim 54, wherein the storing step stores at least one thousand copies of the message.
57. The storage medium of claim 54, wherein the storing step stores at least one roving message copy.
58. The storage medium of claim 54, wherein the storing step stores at least one poised message copy.
59. The storage medium of claim 54, wherein the method further comprises the steps of: obtaining at least one deletion condition; checking for occurrence of the deletion condition; and if occurrence of the deletion condition is detected then locating copies of the message and deleting all located copies of the message.
60. The storage medium of claim 54, wherein the method further comprises the steps of accepting a message update and storing the message update.
61. The storage medium of claim 54, wherein at least a portion of the message is disclosed to at least one destination.
62. The storage medium of claim 61, wherein disclosure includes sending a copy of at least a sensitive information component of the message to an email destination.